Solved: Migrating Single site cluster to multisite cluster...

KulvinderSingh · ‎01-17-2024

Hi AlI,

I have a very specific migration. I am migrating from 5 indexer single site cluster to a 4 indexer multisite cluster 2 indexers each site.

I have couple of questions around it?

first thing is current indexers are all hot storage - want to change this in new hardware to hot and cold and as Splunk appsizing is no more available need help with some calculations?

secondly how to make sure that data from 5 indexers is not missed while migrating to 2?

regards,

Kulvinder Singh

@richgalloway @PickleRick @gcusello

PickleRick · ‎01-17-2024

1. Please don't call out specific people with your question. I don't want to sound rude but people are giving their own spare time providing help here, it's not a Splunk support service. Doing so can even lower the chance of you getting help from people you mention.

2. There is no such thing as "all hot storage". You may not have separate storage units for hot/warm and cold storages but that doesn't mean that your buckets are not in those states.

Honsetly, this whole project seems a bit complicated and will require some decent planing. There are several different approaches you could take with this - adding another site, replicating data, then resizing indexers and removing old ones. Or spinning up a new environment and copying over the data (that can be tricky to identify all buckets). It is definitely a project you should get either PS involved or your friendly local Splunk partner with experienced team because there are several things that can go wrong (and if you don't prepare properly, most probably will).

View solution in original post

gcusello · ‎01-17-2024

Hi @KulvinderSingh ,

as @PickleRick said, please don't call out specific people with your question because we have limited time for answering to your question and you limit your possibility to receive an answer from other people.

Anyway, here is documented how to migrate from a single site to a multisite cluster https://docs.splunk.com/Documentation/Splunk/9.1.2/Indexer/Migratetomultisite

About the other question: no you don't loose any data and, as @PickleRick said, using Warm or Cold storage is a different configuration with no relation with the multisite cluster, it's a configuration of each single index of your infrastructure, infact you have to do this in indexes.conf files instead of server.conf file.

Ciao.

Giuseppe

PickleRick · ‎01-17-2024

1. Please don't call out specific people with your question. I don't want to sound rude but people are giving their own spare time providing help here, it's not a Splunk support service. Doing so can even lower the chance of you getting help from people you mention.

2. There is no such thing as "all hot storage". You may not have separate storage units for hot/warm and cold storages but that doesn't mean that your buckets are not in those states.

Honsetly, this whole project seems a bit complicated and will require some decent planing. There are several different approaches you could take with this - adding another site, replicating data, then resizing indexers and removing old ones. Or spinning up a new environment and copying over the data (that can be tricky to identify all buckets). It is definitely a project you should get either PS involved or your friendly local Splunk partner with experienced team because there are several things that can go wrong (and if you don't prepare properly, most probably will).

KulvinderSingh · ‎01-17-2024

Thanks @PickleRick @gcusello

Migrating Single site cluster to multisite cluster.

administration

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases